ENISA launches investigation on data breach notification rules
January 16, 2011
A new European Union study has identified Internet security, risk prioritisation, law enforcement and a need for more and better resources as key issues in applying new data breach notification rules in Europe.
ENISA, the European Union's Internet security agency, launched its investigation on data breach notification rules against a backdrop of recent security events and a steadily rising rate of personal information disclosure breaches.
ENISA identified key concerns from both telecom operators and the Data Protection Authorities (DPA) in applying a recent ePrivacy Directive that applied security breach notification rules to the electronic communications industry.
The agency hopes this new research will help to develop best practices and new processes on breach notification, as well as informing ministerial decisions on whether EU data breach disclosure rules, first applied to telcos and Internet Service Providers, ought to be extended to financial service firms and other sectors of the EU economy.
Key concerns raised by telecom operators and DPAs interviewed by ENISA include:
The agency intends to use its research in analyzing the possibility for extending the general obligation of data breach notification to other segments as well, such as the financial sector, health care and small businesses.
The issue of security breaches will be discussed at an ENISA-organized workshop in Brussels next Monday, on Jan. 24.
Causes for concern
On Jan. 12, a German Internet security researcher was successful in tapping into Amazon's Cloud Computing Services to crack open WiFi passwords in a fraction of the time and for a tiny percentage of the cost of using his own equipment.
Thomas Roth used custom software running on Amazon's Elastic Compute Cloud (EC2) service to break into a WPA-PSK protected network in under 21 minutes. With improvements to his software, he said he could cut the time down to about 6 minutes.
With EC2 computers available for about twenty-eight cents per minute, the cost of the hack attack came to just $1.68.
“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a lot of money to do so. But it's relatively easy to brute force them,” said Roth.
Roth is the same researcher who in November used Amazon's cloud services to brute force SHA-1 hashes. He said he cracked fourteen 160-bit SHA-1 hashes of passwords between one and six characters long in about 49 minutes.
Roth added that at the time he'd be able to significantly reduce that time with minor tweaks to his software, which made good use of “Cluster GPU Instances” of Amazon's EC2 service.
As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a specific network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.
Roth's latest software uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a jumbo computer. He is scheduled to present his findings at next week's Black Hat security conference in Washington, DC.